diff --git a/src/southbridge/intel/bd82x6x/Kconfig b/src/southbridge/intel/bd82x6x/Kconfig index 0be875e886..e6a4fc8324 100644 --- a/src/southbridge/intel/bd82x6x/Kconfig +++ b/src/southbridge/intel/bd82x6x/Kconfig @@ -148,4 +148,14 @@ config LOCK_MANAGEMENT_ENGINE If unsure, say N. +config LOCK_SPI_ON_RESUME + bool "Lock all flash ROM sections on S3 resume" + default n + help + If the flash ROM shall be protected against write accesses from the + operating system (OS), the locking procedure has to be repeated after + each resume from S3. Select this if you never want to update the flash + ROM from within your OS. Notice: Even with this option, the write lock + has still to be enabled on the normal boot path (e.g. by the payload). + endif diff --git a/src/southbridge/intel/bd82x6x/finalize.c b/src/southbridge/intel/bd82x6x/finalize.c index bcc2f3dad9..331e26cab1 100644 --- a/src/southbridge/intel/bd82x6x/finalize.c +++ b/src/southbridge/intel/bd82x6x/finalize.c @@ -26,6 +26,14 @@ void intel_pch_finalize_smm(void) { +#if CONFIG_LOCK_SPI_ON_RESUME + /* Copy flash regions from FREG0-4 to PR0-4 + and enable write protection bit31 */ + int i; + for (i = 0; i < 20; i += 4) + RCBA32(0x3874 + i) = RCBA32(0x3854 + i) | (1 << 31); +#endif + /* Set SPI opcode menu */ RCBA16(0x3894) = SPI_OPPREFIX; RCBA16(0x3896) = SPI_OPTYPE;